LWN.net Weekly Edition for July 4, 2002
The OpenSSH vulnerability and the disclosure process
By now, presumably, most of you are running on systems with an updated OpenSSH installed. It has been over a week since the "challenge/response" vulnerability was disclosed; there remains, however, a great deal of controversy over how that disclosure happened. According to one point of view, the OpenSSH team withheld specific information on the vulnerability in order to create fear, bring about massive upgrading, and draw attention away from what is, in the end, an OpenBSD-specific vulnerability. Such a view goes over well in the Linux community, where many users upgraded in a hurry only to find out that they never had been vulnerable in the first place. The real story is more complicated, however; it is worth understanding what was going on and how it reflects on how our security processes work.

The disclosure of a vulnerability is the opening bell of a high-stakes race between crackers, vendors, and system administrators. Crackers will put amazing amounts of time and energy into the rapid creation of exploit tools, which are then distributed to script kiddies and other "black hat" types worldwide. Before those tools are widespread, vendors have to create an updated package, put out an alert, and get system administrators to actually apply those packages. System administrators who lose the race - either because updates were not available, or because they did not apply those updates - run a serious risk of having their systems compromised.
The time window between the disclosure of the vulnerability and the posting of exploit tools can be less than one day.
This grace period before the exploits appear is at the core of why the OpenSSH team acted the way it did. Through careful information and release management, the OpenSSH developers hoped to maximize the amount of time that system administrators had to secure their systems. They wanted OpenSSH users to be able to begin running the race while keeping the crackers sidelined for a little longer.
The first step, thus, was to put out a vague notice that there was a problem, along with an OpenSSH release which contained the problem without actually fixing it. If the OpenSSH team had released a patch which fixed the real problem, it would undoubtedly have been easier for vendors to tell their users whether they were vulnerable. It also would have enabled users to secure their systems - if, indeed, they were vulnerable - by simply disabling the challenge/response feature. But it would also have given the crackers the information they needed to develop an exploit. Releasing a warning and enabling privilege separation were actions intended to deny the crackers access to that information. As OpenSSH maintainer Theo de Raadt tells us:
In fact, according to the fourth version of the OpenSSH advisory, even telling users about other workarounds would have released too much information:
For most security vulnerabilities, the accepted procedure is to notify vendor security contacts before the community as a whole so that they can prepare an updated package for their users. There are special, "security contacts only" mailing lists which exist for just this sort of notification. In this case, that procedure was not followed; vendors were told no more than anybody else about the nature of the vulnerability. This was a cause for some disgruntlement in the vendor community, which did not like having its response managed in this way. According to Mark Cox, who handles security at Red Hat:
In fact, when the final Red Hat advisory came out, it noted that most users were not vulnerable and provided a patched version of OpenSSH 3.1. Until the disclosure, however, Red Hat (and other distributors) had no option other than preparing a full OpenSSH 3.3 package, fixing the problems, and pushing it onto the users. Keeping the vulnerability information secret most certainly made life harder for distributors. Now that the information is out and the hole closed, distributors like Red Hat can prepare OpenSSH 3.4 packages with full testing prior to release.
The OpenSSH team did not disclose the vulnerability to vendors for a simple reason: they did not trust those vendors to keep the information secret. Quoting Theo de Raadt again:
I've seen leaks happen. Last week, the resolver issue was released extremely quickly (too quickly I think) because leaks started moving through the FreeBSD and NetBSD communities within hours of their security contacts being informed.
It does not help, of course, that there are some 80 vendors which ship OpenSSH in some product or other. This remains a disturbing claim, however: the free software security contact mechanism, it is said, is not secure. Then again, perhaps the old Ben Franklin quote applies: three may keep a secret if two of them are dead. It is almost certainly unrealistic to expect 80 vendors to keep something under wraps for very long.
So how can our community function in the claimed absence of a working security infrastructure? Should all vulnerabilities be handled the way this one was? The OpenSSH team claims that this bug was special, for a couple of reasons. One is that OpenSSH is now nearly ubiquitous - there are far more ssh servers exposed to the net than web servers, for example. Thus the vulnerability had to be handled with extra care. The other reason, of course, was that there was a way to protect users against exploits without (immediately) disclosing the nature of the problem. From the OpenSSH advisory:
The real answer, according to Theo, is "fast vendors." In the end, for most users, it is still a matter of how quickly their distributor makes an update available. In this case, the first OpenSSH exploit turned up on Bugtraq 22 hours after the disclosure went out. Opinions certainly differ on the best way to give users a head start, but security in the modern world is still a race.
(As a postscript, the OpenSSH team is recommending that all users upgrade to 3.4, even if they are not vulnerable to this particular problem. It has "lots of other fixes people need.")
The 2002 Ottawa Linux Symposium
Your editor, tired after a couple of days of Kernel Summit coverage, decided not to produce talk-by-talk coverage from the Ottawa Linux Symposium. Information from some of the talks will show up in LWN over the next week or two; for people wanting the full details the conference proceedings are available online (as a 3MB PDF file).

OLS is increasingly a kernel-oriented event. There were only two GNOME-oriented talks on the schedule this year, and very few others that discussed user-space topics. Kernel topics have always been a big part of OLS, but the kernel is well on the way toward becoming the only topic. Attaching the Kernel Summit to the conference (which might happen again next year) further encourages that trend. That, of course, is entirely acceptable to those of us interested in the kernel. OLS could become the premier worldwide kernel-oriented conference.
Interestingly, the tutorials had a very different orientation, with topics like DocBook and authenticating Windows 2000 users.
Stephen Tweedie talked, in his keynote, of the importance of providing opportunities for hackers to meet face to face. Interactions just go better when you've had a chance to "share a pint" with your collaborators and when you are able to associate a face with the email address. Thus, as a community, we need events like OLS. So it is encouraging to see that OLS attendance was back up this year.
One final note to the joker who thought your editor should win a copy of Running Weblogs With Slash: that's not funny...
The importance of saying "thanks"
Jon 'maddog' Hall gave a talk at the OLS reception on the first day of the conference. Those who have heard other maddog talks would certainly recognize the collection of "amusing stories from maddog's travels" theme of this one. Mr. Hall did, however, make a new and worthwhile point this time around.

Users of free software (and we all are, in one way or another) often have many things to say to the developers of that software. They send in feature requests and bug reports. They ask where the next release is. They want help making things work. They complain about vulnerability disclosure policies. They post snide comments about the quality of the code or the documentation.
It is relatively uncommon for free software users to simply say "thanks."
Every line of free code is a gift from the developer (or from whoever paid for the developer's effort). Nobody is entitled to free software; it's a windfall, a present from those who created it. All told, it is a gift worth, by most accounts, billions of dollars.
A little gratitude goes a long way. The next time you deal with a developer of a package that you use, consider throwing in a brief "thank you." The developers have earned it.
Security
Brief items
OWASP Guide to Building Secure Web Applications
Congratulations to the Open Web Application Security Project on this, its first release. OWASP's "Guide to Building Secure Web Applications" is now available in HTML or PDF format.
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com.
TCPA / Palladium Frequently Asked Questions
Ross Anderson has released version 0.1 of TCPA / Palladium Frequently Asked Questions. Ross Anderson is the leader of the Computer Security Group at the University of Cambridge Computer Laboratory. His recent paper (available in PDF format) on security in open vs closed systems was the subject of articles in the New York Times and News.com as well as last week's Security page.

BIND 4.9.8-OW2 and 4.9.9-OW1 released
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux.
Details on the vulnerability are available in the CERT Advisory.
TurboLinux updates
Turbolinux, it seems, quietly put out a big pile of updated RPMs on the Turbolinux Security Center in the first half of June. No advisories, just RPMs. Although they do not address the current apache or ssh problems, this is still a welcome sign that TurboLinux may be taking security more seriously. We expressed concern with the lack of security updates from TurboLinux back in January.
Security reports
Apache worm on the loose
It is way past time to upgrade your Apache servers. A worm which takes advantage of the "chunk handling" vulnerability has been sighted, and its source has been publicly posted. For a list of distributor alerts, see the vulnerability report.

The June 2002 Netcraft Web Server Survey estimated that as of July 1st there were still "around 14 Million potentially vulnerable Apache sites."
ZDNet covered the worm with articles on its history and speculation on the potential for a new wave of network attacks. Robert Lemos chronicled the mildness of the worm's impact so far for CNET News.com in articles published June 28th and July 1st. Capture of the worm in a honeypot system was reported on June 28th.
XSS not in stable Slashcode
Despite a report to the contrary this week, Jamie McCarthy assures us that the cross site scripting vulnerability which took down slashdot.org is not in the 2.2.5 release, or any other stable release. "The bug was introduced in CVS on June 17 and was fixed on July 1."

Cross site scripting vulnerability in Betsie
Betsie version 1.5.11, and all versions before, have a cross site scripting vulnerability which is fixed in version 1.5.12.
Acrobat reader 5.05 temporary files
Paul Szabo reports a symlink attack vulnerability in Acrobat Reader 5.05. Acroread uses a file it creates with wide open permissions (mode 666) in /tmp; "it also follows symlinks." Jarno Huuskonen reported a similar vulnerability in Acrobat Reader 4.05 last week.

Xitami 2.5 Beta script injection vulnerabilities
Script injection vulnerabilities were reported in Xitami 2.5 Beta from iMatix. Xitami is a high performance portable web server.
New vulnerabilities
Apache mod_ssl off-by-one local code execution and DoS vulnerability
Package(s): | libapache-mod-ssl mod_ssl
CVE #(s): | CAN-2002-0653
Created: | July 2, 2002
Updated: | August 14, 2002
Description: | Mod-ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously-crafted .htaccess file may be used by an attacker to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10, which is available from here. For more information see the announcement.
Alerts: |
Resources
Apache and OpenSSH Vulnerabilities (Linux Journal)
Linux Journal explains to Linux newbies how to deal with the latest Apache and OpenSSH security vulnerabilities. "If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check."
Linux Security Week
The July 1st Linux Security Week newsletter from LinuxSecurity.com is available.
Events
Registration for H2K2 New York City closes this week.
Upcoming Security Events
Date | Event | Location |
---|---|---|
July 12 - 14, 2002 | H2K2 "Hacker" conference | New York City |
July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | Hyatt Regency, Calgary, Alberta, Canada |
August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney
Kernel development
Brief items
Current release status
The current development kernel remains 2.5.24. Linus has not released any kernels - or surfaced on the linux-kernel mailing list - since before OLS and the Kernel Summit. Some patches are beginning to show up in his BitKeeper tree, however; they include some SCSI updates, an NTFS update, and, interestingly, a change of the internal x86 clock frequency to 1000 Hz.

The current stable kernel release is still 2.4.18. No new 2.4.19 release candidates have been announced in the last week.
The latest 2.5 kernel status summary from Guillaume Boissiere came out on July 3.
Kernel development news
A safe SCHED_IDLE implementation
A longstanding kernel feature request is a SCHED_IDLE scheduler class. Tasks running as SCHED_IDLE would only run when the processor would otherwise be idle. The "niceness" scheme in the current scheduler does not provide this behavior: even the lowest-priority processes will run sometimes. Users who want to search out encryption keys, model proteins, or search for extraterrestrial life on their systems generally want that work to not take any time from other tasks running on the system. Thus the request for SCHED_IDLE.

In principle, SCHED_IDLE is not that hard to implement. The problem, of course, is the classic priority inversion trap. If a SCHED_IDLE process acquires an important shared resource, such as an internal filesystem semaphore, there is no way to know how long the process may have to wait before it can run long enough to release that resource. A SCHED_IDLE process can be preempted at any time by a higher-priority process; it could then keep needed resources unavailable indefinitely. Priority inversion problems can come up by themselves; this situation could also be brought about intentionally as a denial of service attack.
So far, no solution to this problem has been implemented, so no SCHED_IDLE patch has ever been merged into the kernel. It is easier to simply ensure that every process makes a little progress occasionally so that priority inversion problems resolve themselves.
Now Ingo Molnar has posted a patch which, he claims, implements SCHED_IDLE (which he calls SCHED_BATCH) in a safe way. Those who are curious are encouraged to read his posting, which describes the work in far more detail than you will find here.
The fundamental observation behind Ingo's approach is that processes only hold important kernel resources, such as semaphores, when they are running in kernel mode. If a SCHED_BATCH process is preempted when running in user mode, it is safe to set that process aside indefinitely. If, instead, it is running in kernel mode, it must be allowed to finish its work within a reasonable period of time.
So Ingo's patch splits the schedule() call into two variants. schedule_userspace() is called when the preempted process is running in user mode; it implements the full SCHED_BATCH semantics. schedule(), instead, is invoked when the process is in kernel mode; it will handle a SCHED_BATCH process like any other, normal process. Thus SCHED_BATCH processes essentially have their priorities raised while running in kernel mode.
Raising the priority of processes that hold critical resources is a classic response to priority inversion problems. Ingo's patch takes a slightly simpler approach by treating the entire kernel as such a resource. This patch will raise the priority of SCHED_BATCH processes a bit more than is strictly necessary; the approach should be robust, however, and the difference in scheduling behavior would be difficult to measure.
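To make the inversion concrete, here is a toy C model written for this article (it is not code from Ingo's patch or from the kernel): three constructed tasks - a CPU-bound SCHED_NORMAL hog, a SCHED_BATCH task preempted in kernel mode while holding a semaphore, and a SCHED_NORMAL task blocked on that semaphore - are run under a naive idle-class policy and under the kernel/user split, and the model reports on which tick the blocked task finally gets to run.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy discrete-time model of the priority-inversion problem and of the
 * user/kernel split in Ingo Molnar's SCHED_BATCH patch.  Added
 * illustration, not kernel code: the three tasks, the single "kernel
 * semaphore" and the tick counts are constructed for the demonstration.
 */

enum sched_class { SCHED_NORMAL, SCHED_BATCH };
enum cpu_mode     { MODE_USER, MODE_KERNEL };
enum policy       { POLICY_NAIVE, POLICY_SPLIT };

struct task {
    const char *name;
    enum sched_class cls;
    enum cpu_mode mode;   /* mode the task was in when last preempted */
    int kernel_left;      /* kernel-mode ticks until it drops the semaphore */
    bool holds_sem;
    bool needs_sem;       /* cannot run until it can take the semaphore */
    bool done;
};

struct sim {
    struct task t[3];
    int cursor;           /* round-robin position */
    bool sem_held;
};

static void sim_init(struct sim *s)
{
    memset(s, 0, sizeof(*s));
    /* A CPU-bound SCHED_NORMAL task that never finishes. */
    s->t[0] = (struct task){ "hog", SCHED_NORMAL, MODE_USER, 0, false, false, false };
    /* The SCHED_BATCH task: preempted inside the kernel while holding the
     * semaphore; it needs three more kernel ticks to release it. */
    s->t[1] = (struct task){ "batch", SCHED_BATCH, MODE_KERNEL, 3, true, false, false };
    /* A SCHED_NORMAL task blocked waiting for that semaphore. */
    s->t[2] = (struct task){ "waiter", SCHED_NORMAL, MODE_USER, 0, false, true, false };
    s->sem_held = true;
}

static bool runnable(const struct sim *s, const struct task *t)
{
    if (t->done)
        return false;
    if (t->needs_sem && s->sem_held && !t->holds_sem)
        return false;     /* blocked on the semaphore */
    return true;
}

/* Naive policy: a SCHED_BATCH task never competes with normal tasks.
 * Split policy: it does for as long as it sits in kernel mode. */
static bool high_class(enum policy p, const struct task *t)
{
    if (t->cls == SCHED_NORMAL)
        return true;
    return p == POLICY_SPLIT && t->mode == MODE_KERNEL;
}

/* schedule(): round-robin over the high-class runnable tasks; only when
 * none exists does a batch task get the CPU.  Returns -1 when idle. */
static int pick_next(struct sim *s, enum policy p)
{
    const int n = 3;
    for (int pass = 0; pass < 2; pass++) {
        for (int i = 0; i < n; i++) {
            int idx = (s->cursor + i) % n;
            struct task *t = &s->t[idx];
            if (!runnable(s, t))
                continue;
            if (pass == 0 && !high_class(p, t))
                continue;
            s->cursor = idx + 1;
            return idx;
        }
    }
    return -1;
}

static void run_tick(struct sim *s, struct task *t)
{
    if (t->holds_sem) {
        /* Kernel-mode work: one step closer to releasing the semaphore. */
        if (--t->kernel_left == 0) {
            t->holds_sem = false;
            s->sem_held = false;
            t->mode = MODE_USER;   /* back in user space: safe to park */
        }
    } else if (t->needs_sem) {
        /* Semaphore is free: take it, do the work, release it, finish. */
        t->done = true;
    }
    /* hog: pure user-space CPU burn, nothing to update */
}

/* Run until the waiter completes; return the tick it completed on, or
 * -1 if it is still starved after max_ticks. */
static int simulate(enum policy p, int max_ticks)
{
    struct sim s;
    sim_init(&s);
    for (int tick = 1; tick <= max_ticks; tick++) {
        int idx = pick_next(&s, p);
        if (idx >= 0)
            run_tick(&s, &s.t[idx]);
        if (s.t[2].done)
            return tick;
    }
    return -1;
}

int main(void)
{
    printf("naive SCHED_IDLE:  waiter finishes at tick %d\n", simulate(POLICY_NAIVE, 1000));
    printf("kernel/user split: waiter finishes at tick %d\n", simulate(POLICY_SPLIT, 1000));
    return 0;
}
```

Under the naive policy the hog is always runnable, so the batch task never gets the ticks it needs to release the semaphore and the waiter starves; with the split, the batch task is scheduled like a normal task until it leaves the kernel, after which it can be parked safely.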
A use for IDE taskfile access
A number of people have complained about the removal of the IDE taskfile operations from the 2.5 version of the driver. For anybody wondering why people might want this obscure capability, consider this posting from Scott Tillman. Scott is working on the "port Linux to the XBox" effort. It turns out that the XBox IDE drive will not allow access to its sectors until a special, vendor-specific "password" command has been run. Taskfile access is needed to be able to issue that password.

Of course, providing taskfile access so that this command can be issued could, with a broad reading, be seen as a violation of the DMCA's anticircumvention measures. It is a bit of a stretch, and depends on whether the special command is just seen as vendor-specific initialization, or whether it is really a "technological measure" for copyright protection. Unfortunately, a broad reading of the DMCA seems to be in vogue in the U.S. these days.
The XBox team, meanwhile, has a bunch of code it has written for dealing with the XBox partition scheme and filesystem. They will port it to 2.5 if it appears that it might actually get merged. That may well happen; the fun of running Linux on Microsoft-subsidized hardware could be irresistible.
Incrementally improving the SCSI subsystem
James Bottomley gave a talk at OLS on the plans for improving the SCSI subsystem. It went into more detail than the Kernel Summit presentation, and included the outcomes from the Summit discussion. Places where work will be done include:
- Elimination of the SCSI exception table
- Generic tagged command queueing
- Implementation of write barriers
- Reworking the error handler
- Multipath device support
- Getting rid of the midlayer
The SCSI exception table is an in-kernel list of about 90 (in 2.4.18) SCSI devices which are known to be poorly behaved; this list only continues to grow as manufacturers make more and more stupid devices. Many of these devices misbehave if you try to access a logical unit number other than zero; others demonstrate more creative sorts of problems. In any case, this sort of constantly growing blacklist is not the kind of data structure you want to have taking up more and more kernel space.
The answer here, of course, is to move this table (and its associated processing) into user space. Rather than handle SCSI device scanning in the kernel, the SCSI subsystem will just use the /sbin/hotplug mechanism and let a user space program handle the details. James likes this solution because it cleans up the SCSI code, and the hotplug code support "is Greg KH's problem." Greg's enthusiasm was rather more restrained.
Tagged command queueing (TCQ) changes were discussed at the Kernel Summit as well. Each SCSI adaptor driver has its own TCQ implementation, which is not the right way to do it. So TCQ support will be done in the generic block layer code instead (James once again notes, with satisfaction, that in the block layer it's somebody else's problem).
One big remaining problem is "tag starvation," where a disk ignores a request for a long time while dealing with (newer) requests that it can satisfy more quickly. Options for fixing this problem include using ordered tags (which force the completion of all previous tagged operations) or just shutting down the request queue until the neglected request gets handled. Either approach could work; the request queue throttling technique is thought to be less hard on the overall performance of the system.
Write barriers are needed for journaling filesystem support; they can be implemented with ordered tags. The real problem here, as it turns out, is error handling. If a write barrier operation fails, subsequent operations could be executed out of order. Another issue is the "queue full" problem: the drive rejects the barrier operation because its command queue is full, but then accepts a command issued after the barrier. This is a sort of race condition which is difficult, if not impossible, to produce on real systems, but it is a problem which can occur.
The current SCSI error handler is a "pluggable" mechanism which allows the provision of operations for a set of predefined situations. The "pluggable" interface has never been used - everybody uses the default error handlers, which are seen as being heavy-handed and insufficiently smart. The new error handler should also handle things like command cancellation - a feature required by asynchronous I/O.
The new error handler should, instead, be message-oriented, allowing greater flexibility in what sorts of situations can be dealt with. It should also be stackable and available to higher levels. Volume managers and RAID, for example, want a detailed picture of exactly what sort of errors are happening so that they can respond intelligently; "bad block" requires a different response than "drive on fire," but there is currently no way for higher levels to tell the difference.
In the end, much of the error handling code needs to move into, of course, the block layer. IDE drives also have errors, and higher-level code should not have to know the difference. So, happily (for James), much of it becomes somebody else's problem.
Support for multipath devices, too, should be implemented in the block layer - and thus be somebody else's problem. One big issue with multipath devices is the preservation of write barriers. A command which is meant to execute after a write barrier could be sent via a different path and overtake the barrier operation.
The death of the midlayer is expected to be "a slow process via starvation." The internal SCSI request structure may be replaced by the generic block level version, and much of the current SCSI functionality will migrate up to the higher levels. The end result will be a vastly thinner SCSI midlayer which has had most of its functionality moved up to the higher layers. This work, of course, will allow more common code to be shared across disk subsystems. It also means that, for example, the ide-scsi driver can be eliminated. Under the new system, it will be a straightforward task to connect the high-level SCSI code with the low-level IDE transport.
This is all a big job, of course; it is not expected to be done by the 2.5 feature freeze.
Page editor: Jonathan Corbet
Distributions
Distribution News
Debian News
The Debian Weekly News for July 2, 2002 is out. This edition speculates that UnitedLinux will be based on the Debian distribution (since there is no other way to "include" Debian as Caldera UnitedLinux leader Ransom Love has said he wants to do). Additional topics include Java Beans for Debian People, Security Updates for Woody, and much more.

Another revision of Debian 2.2 (potato) is underway. Debian GNU/Linux 2.2r7 should be available soon. Security fixes and critical bug fixes are the focus of this release.
Henrique de Moraes Holschuh has published a paper that details the operation of Debian init scripts. The paper is derived from a talk that will be given at the upcoming Debconf2.
Debian Project Leader Bdale Garbee announced that Mako has been delegated to help handle project donations. Also, Debian will be joining OASIS, the Organization for the Advancement of Structured Information Systems. Mark Johnson has been appointed as Debian's initial official representative to OASIS.
Mandrake Linux
MandrakeSoft announced that it is cooperating with AMD to port Mandrake Linux to the forthcoming eighth-generation AMD Athlon and AMD Opteron processor-based platforms.

Mandrake Linux has a new package available that provides older distributions with the same rpm macros that are available in Mandrake Linux 8.2.
Limbo: a new Red Hat Linux beta
Red Hat has announced "Limbo," a new beta version of the Red Hat Linux distribution. It includes gcc 3.1, the 1.0 releases of Mozilla and OpenOffice, the "latest desktop technology," and more. "Such beta software as LIMBO is not intended for use on mission critical or production systems. Use on such systems could lead to loss of uptime, data, money, employment, or sentience".
SuSE News
SuSE has announced several new products including the SuSE Linux Groupware Server, SuSE Linux eMail Server 3.1, and the SuSE Linux Pro-Office CD with StarOffice®.

Terra Soft ships Yellow Dog Linux 2.3
Terra Soft Solutions has announced the release of Yellow Dog Linux 2.3. YDL is a PowerPC distribution, of course; this release includes KDE 3, a 2.4.19 kernel (even though said kernel has not yet been released), OpenOffice 1.0, and more.
New Distributions
uClibcLinux
uClibcLinux is a Linux distribution based on uClibc. This source-based distribution has two main goals:
- provide an easily extensible build system
- provide a repository of software compiling and running with uClibc
Initial version 0.4.5 was released June 25, 2002.
Minor distribution updates
Aurora Sparc Project
The Aurora Sparc Project has released build 0.3 (Phoenix). With the exception of Anaconda, Phoenix is a complete Red Hat 7.3 based tree, including KDE3, Gnome 1.4, XFree86 4.2.0, a 2.4.18 kernel, and both gcc 2.96 and 3.1 compilers.

Bernhard's Bootable Linux CD

BBLCD has released version 0.7.2 with major feature enhancements.

Engarde Secure Linux
Engarde Secure Linux has released version 1.2 (Professional). "Professional features include a network gateway firewall, network address translation, secure network services, virtual Web site hosting, complete Web site development, broadband connectivity, secure Web management, built-in support and alerts, Security Control Center, network intrusion detection, host intrusion detection, monitoring of system access, protection against data loss, Guardian Digital Secure Network Service, and much more."
Two new versions of Enterprise Linux
ImageStream has released two new versions of Enterprise Linux for its router customers, Enterprise Linux 3.2.3, and Enterprise Linux 4.0.0.

floppyfw

floppyfw has released stable version 1.0.13 with minor feature enhancements.

LEAF (Linux Embedded Appliance Firewall)
The LEAF branch WISP-Dist released version 2213. "WISP-Dist is a LEAF release/branch for wireless routers, but can be used for other purposes as well. The entire system fits in 8 MB flash/16 MB RAM. Highlights include an easy-to-use menu interface, commandline access, an Access Point mode (on selected cards), OSPF/RIPv2, bandwidth shaping, NAT, and other goodies."
Leka Rescue Floppy
Leka Rescue Floppy has released stable version 0.7.0 with major feature enhancements.

Linpus Linux 8.2 Release

Linpus Technologies, Inc announced the release and availability of the Linpus Linux 8.2 desktop and server operating system.

MkLinux Security Update
MkLinux has released a security upgrade for recent OpenSSH vulnerabilities. This requires upgrading both OpenSSL and OpenSSH to versions 0.9.6d and 3.4p1, respectively. "Some advanced features have not been fully tested due to insufficient prior notice. This upgrade is strictly use-at-your-own risk."
PXES Linux Thin Client
PXES Linux Thin Client has released version 0.5-Beta4 with major feature enhancements.

Sentry Firewall CD-ROM

Sentry Firewall has released version 1.3.0-3. "OpenSSH, BIND, and Apache have been updated to fix recent bugs. The HOWTO has been updated to accommodate new project branches."
Page editor: Rebecca Sobol
Development
AxKit
AxKit is an Apache-based XML Application Server. The AxKit home page says: "It provides on-the-fly conversion from XML to any format, such as HTML, WAP or text using either W3C standard techniques, or flexible custom code. AxKit also uses a built-in Perl interpreter to provide some amazingly powerful techniques for XML transformation."
AxKit has these features:
- Content is sent through an XSLT based pipeline with conversion being performed at different stages.
- Content may be presented in different ways to different viewers.
- Media output types include web browsers, palmtops, cell phones, Television, aural, print, projection, and text-only.
- A wide variety of character sets are supported.
- Output may be compressed with GZip for use over slow lines.
- AxKit uses a replaceable component architecture, allowing for easy customization.
- XML transformations can be cached for server efficiency.
- AxKit allows XML information to be pulled from a database or generated from a database query.
- AxKit supports dynamic Perl-based web components for CGI-style capabilities.
- A Perl interpreter is built in, reducing CGI overhead.
- AxKit runs on a wide variety of operating system platforms.
For more information on AxKit, see the following documents:
AxKit is licensed under the Apache Software License.
Two AxKit based projects are listed below under Web Site Development.
System Applications
Audio Projects
Ogg Traffic for Monday, July 1, 2002
The July 1, 2002 edition of Ogg Traffic is out, following a six month hiatus. Check it out for the latest Ogg Vorbis status. There is also an announcement for the new Ogg Theora VP3 video project.
Web Site Development
Taglib TMTOWTDI (Perl.com)
Barrie Slaymaker shows how to write Taglibs with AxKit. "As with many Perl systems, AxKit often provides multiple ways of doing things. Developers from other programming cultures may find these choices and freedom a bit bewildering at first but this (hopefully) soon gives way to the realization that the options provide power and freedom." AxKit is an XML Application Server for Apache.
CallistoCMS - AxKit CMS Goodness (use Perl)
Use Perl has an announcement for a first release of the Callisto content management system from Michael Nachbaur. "I haven't tried it yet, but it sounds cool, with features like WYSIWYG XML content editing, transactional site deployment to multiple servers in a farm, vhosting support, and so on."
mnoGoSearch 3.1.20 and mnoGoSearch-php-3.2.0.beta4
mnoGoSearch 3.1.20 and mnoGoSearch-php-3.2.0.beta4 have been released. The former is a security patch release, and the latter adds a few minor code changes.
Web Services
Are Your Web Services Working Correctly? (Linux Journal)
Linux Journal shows how to use Linux, Perl and other free software to check your web services. "To help with this identification process, I started to think about an application that would periodically perform a series of checks on URLs to alert us in case of problems. I'd previously found that the perfect language for me was Perl. I'd learned it writing some little CGI scripts, and I've enough confidence with it to prefer it to other languages."
Miscellaneous
Developing a Linux command-line utility (IBM developerWorks)
Vasudev Ram explains the details of command-line utility writing on IBM's developerWorks. "Learn how to write Linux command-line utilities that are foolproof enough even for end users. Starting with an overview of solid command-line best practices and finishing with a comprehensive tour of a working page-selection tool, this article gives you the background you need to begin writing your own utilities."
Desktop Applications
Desktop Environments
KDE 3.0.2 released
KDE 3.0.2 has been released. "KDE 3.0.2 primarily provides usability and stability enhancements over KDE 3.0.1, which shipped in late May 2002."
Games
New on PyGame
The PyGame site has an announcement for version 1.5 of the Pygame module set. "After a solid three week testing on the release candidate, the latest version is ready. Big new features for the audio modules. Sound panning for stereo effects, better control over music playback, and a new sndarray module for creating your own realtime sound effects with Numeric. A wide variety of other new features like alpha preserving blits, gamma ramp control, and saving tga images." Several new game versions are also available on the site.
Graphics
Graphics programming with libtiff (IBM developerWorks)
Michael Still shows how to work with libtiff for the generation of raster images on IBM's developerWorks. See part 1, which was published in March, and part 2, which was published in June.
GUI Packages
Office Applications
AbiWord Weekly News #98
Issue #98 of the AbiWord Weekly News is out. The main topic this week is the appearance of a number of new UNCONFIRMED bugs.
KC GNUe #35
Issue #35 of Kernel Cousin GNUe is available. Topics include Application Server triggers, Bayonne and GNUe Workflow, Checkboxes and button triggers in Forms, Using XML to describe database schemas, Testing the 0.3.0 releases on Microsoft Windows, Tooltips in Forms, GNUe Documentation, Foreign Key drop-down boxes, Multi-table Datasources, Head and branch in CVS, Spam on GNUe's bug-tracking e-mail gateway, Two-column drop-down boxes for foreign keys and NOLA as a free alternative to GNUe Financials.
KOffice 1.2beta2 is Out!
KDE.News has an announcement for version 1.2beta2 of KOffice. "KOffice 1.2beta2 is out, sporting an impressive number of changes, with improvements all around the board including substantial filter improvements, footnotes in KWord, and templates in KSpread."
Miscellaneous
KWinTV Rewrite Alpha 1
KDE.News has an announcement for the Alpha 1 release of KWinTV, a video display application for KDE. "This release is intended as a basic demonstration of the design of the application. It provides functionality in the form of support for Xv video streams, OSS mixer (/dev/video, mixer 0), and XML channel files. It most likely only works on Linux, and in fact may only work on ia32 hardware."
Bluefish 0.7
Version 0.7 of the Bluefish HTML editor has been released. Changes include numerous bug fixes, more translations, custom search and replace macros, and memory leak fixes. A new gtk2 port is also available.
Languages and Tools
Java
Struts and Tiles aid component-based development (IBM developerWorks)
Wellie Chao shows how to work with Java Struts and Tiles. "The Model-View-Controller (MVC) framework is a proven and convenient way to generate organized, modular applications that cleanly separate logic, style, and data. In the Java world, Struts is one of the best-known and most talked about open source embodiments of MVC. Struts contributors have recently enhanced the project's core functionality and improved the view support, incorporating the Tiles view component framework to strengthen support for component-based development, to increase reuse, and to enhance consistency."
Perl
This week on Perl 6 (Perl.com)
Perl.com's This week on Perl 6 is out for June 24-30, 2002. Topics include System calls/spawning new processes, Ruby iterators, Fun with the Perl 6 Grammar, The Increasingly Misnamed 'Perl5 humor' Thread, stack performance, and more.
Synopsis 5 (Perl.com)
Allison Randal and Damian Conway summarize Larry Wall's Apocalypse 5 document.
PHP
PHP Weekly Summary for July 1, 2002
The July 1, 2002 edition of the PHP Weekly Summary covers bugs with ZE2 $argc/$argv and Win32 snapshots, fixes for Apache 2 support, PHP and Java, session handling with MM, LDAP functions, and a new phpinfo() with CLI.
Python
Dr. Dobb's Python-URL
Dr. Dobb's Python-URL for July 1 is out, with the latest happenings from the Python community.
Daily Python-URL
This week's entries on the Daily Python-URL include a EuroPython Diary, Pyzzle, the Python Database Application Programming Interface, Stackless Python for PowerPC, Wrap your mind around Python, OfflineIMAP, String manipulation and regular expressions, an interview with Jürgen Hermann, the Python Object Database, the Pymps PYthon Music Play System, and more.
Ruby
Ruby Weekly News
The July 1, 2002 edition of the Ruby Weekly News looks at Ruby-GetText-Package-0.3.0 and Ruby-GNOME 0.29, and features discussions on Perl vs. Ruby, Ruby on the Palm, the Gvim interface to the ruby debugger, and documentation licenses.
Tcl/Tk
This week's Tcl-URL
Dr. Dobb's Tcl-URL for July 1 is out; it looks at the 3rd Tcl'Europe Conference, the new ActiveTcl releases, tDOM 0.7.1, and more.
XML
Cataloging XML Vocabularies (O'Reilly)
Eric van der Vlist writes about XML vocabularies on O'Reilly. "I've been involved recently in many discussions and projects oriented around a simple and common question: "how do I create an XML vocabulary?" The formulation was often different -- "how do I create a namespace?" or "how do I publish an XML schema?" -- but the central issue was always about what infrastructure to create and which methods should be used to advertise the newly created vocabulary."
Simple XML Parsing with SAX and DOM (O'Reilly)
Philipp K. Janert illustrates XML parsing on O'Reilly. "In this article, I would like to offer an accessible introduction to the two most widely used APIs: SAX and DOM. For each API, I will show a sample application that reads an XML document and turns it into a set of Java objects representing the data in the document, a process known as XML 'unmarshalling.'"
Miscellaneous
Getting Loopy with Python and Perl (O'Reilly)
O'Reilly is running an article by "Aahz" in which Python and Perl looping constructs are compared.
Tracking Software Development Projects (Dr. Dobb's)
Joe Marasco writes about the tracking of software development on Dr. Dobb's. "Why do these seemingly different activities all exhibit S-Curve behavior? What underlying forces produce this curve over and over again? To address these questions, I'll focus on the software development process."
Page editor: Forrest Cook
Linux in Business
Business News
Why MandrakeSoft will not join UnitedLinux
MandrakeSoft has released a document detailing the reasons why they will not join United Linux. "On the other hand, MandrakeSoft would gain nothing by joining United Linux, and doing so would damage our reputation. Joining United Linux could destroy many of the features that have made Mandrake Linux so widely popular, such as our 'easy to install, easy to use' approach. It should be noted that several recent polls indicate that the four United Linux companies currently rank lower than Mandrake Linux in market share."
IBM launches "Linux Virtual Services"
IBM has put out a press release for its new "Linux Virtual Services" offering. Essentially, they are renting out Linux partitions on a zSeries mainframe. "Instead of the physical Web, database and application servers they rely on now, customers tap into 'virtual servers' on IBM zSeries mainframes running Linux in a secure hosting environment, paying only for the computing power and capacity they require."
Opera releases 6.02 for Linux; signs deal with SuSE
Opera Software has announced the release of Opera 6.02 for Linux. "The new version includes important fixes to the document and user interface, with special emphasis on the display of Asian characters, making this an important upgrade for Linux users all over the world." Also announced is a distribution agreement with SuSE; Opera will be bundled with the SuSE Linux 8.0 release.
June 2002 Netcraft Web Server Survey
The June, 2002 Netcraft Web Server Survey is out. Apache use is up, and there is a discussion of several recent web server vulnerabilities.
Linux Stock Index for June 28 to July 03, 2002
LSI at closing on June 28, 2002 ... 23.07
LSI at closing on July 03, 2002 ... 22.17
The high for the week was 23.07
The low for the week was 21.52
Press Releases
Open Source Announcements
- Open Source Development Lab (BEAVERTON, Ore.): OSDL Delivers on Carrier Grade Linux Roadmap With Carrier Grade Linux Documents and Developer Web Site.
Distributions and Bundled Products
Software for Linux
- Archaeopteryx Software, Inc (Brookline, MA): Write Software Faster with Wing IDE for Python Version 1.1.5.
- Axeda Systems (MANSFIELD, Mass.): Axeda Access Release 1.5 Enhances Remote System Administration of Windows and UNIX Devices via the Internet.
- Codemesh, Inc. (CARLISLE, Mass): Codemesh Releases JunC++ion on Windows, Solaris, and Linux; Solutions for Language Integration.
- Cylant (Moscow, ID): New IDS Upgrade Announced.
- Fluent, Inc (LEBANON, N.H.): Fluent Releases Icepak 4.0 Electronics Cooling Simulation Software; New Version Extends Time-to-Solution Lead; Features Non-Conformal Meshing.
- Global MAINTECH Corp. (MINNEAPOLIS): Global MAINTECH Announces LINUX Version of the Virtual Command Center.
- H.A. Technical Solutions (HATS) (MINNEAPOLIS): Leading Provider of High Availability and Data Replication Software, H.A. Technical Solutions, Certifies Solutions on IBM eServer Systems at IBM Porting Center.
- MetiLinx, Inc. (SAN MATEO, Calif.): HP Validates IT Infrastructure Performance Gains With New MetiLinx iSystem Enterprise 2.8 Release.
- Jabber, Inc. (DENVER): Jabber, Inc. Expands WebClient, Extending Capabilities of IM to Web Browsers and Portals.
- Mindwrap (FLINT HILL, Va.): Mindwrap's OPTIX Available on GSA; Optix Document Management and Workflow System Products, Training and Related Services Now Available On GSA contract GS-35F-0394M.
- Okino Graphics (Toronto, Ontario): Okino Computer Graphics licenses HOOPS Stream Toolkit from Tech Soft America; Okino's Popular NuGraf and PolyTrans products now support the HSF file format and the OpenHSF Initiative.
- Parasoft (MONROVIA, Calif.): Parasoft WebKing 3.5 Integrates Automated SOAP testing and Web Services Verification.
- Tek-Tools, Inc (DALLAS): Tek-Tools Ships Storage Profiler Backup.
- The Plum Group (BOSTON and EDINBURGH, Scotland): Plum VoiceXML IVR Enhanced With Open Source Festival TTS Components.
Products and Services Using Linux
- Cirrus Logic Inc. (AUSTIN, Texas): Cirrus Logic MPEG A/V Codec Incorporated Into Intel Media Center Reference Design.
- Critical Path, Inc. (SAN FRANCISCO, CA): Critical Path Announces Support for IBM zSeries and S/390 Mainframes Running Linux.
- IBM (ARMONK, N.Y.): Era of e-Business On Demand Accelerates With IBM Delivery of Computing Power On Tap.
Hardware with Linux support
- Cybernet Systems Corporation (ANN ARBOR, Michigan): Cybernet's NetMAX Internet Appliance Software Now Available as Turnkey Hardware Solution.
- JNI Corporation (SAN DIEGO): JNI Corp. Ships Red Hat Linux Driver for 2 Gb Fibre Channel HBAs, Targets Enterprise-Class, Linux-based Database Environments.
- OnStream Data (AUSTIN, Texas): OnStream Launches 60 and 120GB SCSI Digital Tape Drives.
- Quatech, Inc. (AKRON, Ohio): Upgraded Quatech Serial PCMCIA Cards Provide Industry Leading Speeds and Dramatically Reduced Power Requirements.
Java Products
- Rococo Software (DUBLIN, IRELAND): Rococo Gets Thumbs-up from Bluetooth Simulator Users.
Books and Documentation
- No Starch Press: Contract Signed for PostNuke Book!
- O'Reilly and Associates (Sebastopol, CA): "XML in a Nutshell, Second Edition" Released by O'Reilly.
- O'Reilly and Associates (Sebastopol, CA): "Network Security with OpenSSL" Released by O'Reilly.
Training and Certification
- Free Standards Group (OAKLAND, Calif.): The Free Standards Group Announces LSB Certification Program.
- Linux Professional Group (Stamford, CT.): Linux Professional Group and Course Technology Partnership.
Partnerships
- Rococo Software and Open Interface North America (Dublin, IRELAND): Open Interface and Rococo Software Partner to Provide Java Based APIs for Bluetooth Application Development.
- SoftConnex and Planetweb (FREMONT & REDWOOD SHORES, Calif.): SoftConnex and Planetweb Join Forces to Develop USB-Compliant Platform for Interoperability of Home Entertainment Applications.
Personnel and New Offices
- Oracle Corporation (ORACLEWORLD COPENHAGEN, Denmark): Oracle Opens Doors to European-Based Customers Seeking Education, Innovation and Collaboration.
Miscellaneous
- O'Reilly and Associates (Sebastopol, CA): O'Reilly Bioinformatics Conference Call for Participation.
Page editor: Rebecca Sobol
Linux in the news
Recommended Reading
The Strange Case of the Disappearing Open Source Vendors (O'Reilly)
Publisher Tim O'Reilly writes about the current state of open-source software. "The dot-com boom has ended, the VCs and the stock market are in retreat, and of all the much-hyped open source companies, only a few are left. Red Hat is still flourishing, but VA Linux Systems has taken "Linux" out of its name; Caldera, SuSe, Turbolinux, and Connectiva are joining forces; Eazel, Great Bridge, and Lutris are out of business, among many others."
Start-up creates futuristic 3D display (ZDNet)
ZDNet examines a new 3D "crystal ball" computer display that startup company Actuality Systems is working on. "The 3D mechanism behind Perspecta goes back to the 1960s but had to wait for high-resolution processing and display technology to catch up. Perspecta uses a collection of proprietary algorithms to slice 3D data into a format that can be replicated in three spatial dimensions. A projector then displays the data at 5,000 frames per second onto a rotating screen within the transparent sphere, in such a way that the eye sees a 3D image. The image comprises 198 two-dimensional slices, with a 768-by-768-pixel resolution for each slice." The $40,000 price tag will probably keep this technology out of the hands of most developers for now.
Wi-Fi users take cue from hobos (News.com)
News.com looks into a new method that is being used to identify publicly accessible wireless networks. "Warchalking, as the practice has been coined by Matt Jones, entails simply drawing a chalk symbol on a wall or pavement to indicate the presence of a wireless networking node. If you see one of these symbols, you should--in theory at least--be able to whip out your notebook computer equipped with an 802.11 wireless networking card, and log on to the Net."
Companies
Struggling Linux company swaps CEOs (News.com)
News.com reports that Caldera International has replaced CEO Ransom Love with Darl McBride, formerly of Franklin Covey. "Linux seller Caldera International has replaced longtime Chief Executive Ransom Love and agreed to buy back shares held by two major investors."
Ransom Love out as Caldera CEO (Register)
The Register examines Caldera's CEO switchover. "The one thing Caldera has that no other Linux vendor has or has ever had is its 16,000 resellers. Yes, Caldera is attuned to Unix now, but if the company can be swung toward Linux, as both Love and McBride believe it can, it represents a potent marketing force that can get Linux into small and medium-sized businesses in a way no other Linux company can match."
Linux server maker's coffers growing (News.com)
News.com writes about a $44 million investment that Linux server company Egenera has received. "Sun Microsystems has been strong among financial services companies, but Egenera, Intel and IBM are using Linux as a way to grab some of that business. Linux is a clone of Unix products such as Sun's Solaris operating system, so it's a relatively easy step for customers to move their software to Linux."
IBM's utility computing push (Register)
The Register covers IBM's Linux Virtual Services. "At the core of Virtual Linux Services is an IBM technology which creates "virtual servers" from the computing capacity of IBM zSeries mainframes running Linux. By partitioning the processing, storage and network capacity for each customer, IBM isolates individual demand on the system and maps resources to that demand, while providing the equivalent separation between customers that a physical server would supply."
IBM to let customers plug in to Linux (News.com)
News.com covers IBM's Linux Virtual Services announcement. "The service is one of the clearest examples of the move toward "utility computing," a trend that IBM rivals Hewlett-Packard and Sun Microsystems are also advocating."
MandrakeSoft eyes up AMD's Opteron (ZDNet)
ZDNet looks at plans by MandrakeSoft to port its Linux distribution to AMD's x86-64 architecture. "...And MandrakeSoft hopes the move will also help drive its Linux operating system into the enterprise. "A version of Mandrake Linux dedicated to these powerful 64-bit processors can certainly accelerate MandrakeSoft's growing adoption in the Linux corporate market," said MandrakeSoft chief executive Jacques Le Marois in a statement."
Opera expands role in China (News.com)
News.com reports that Opera Software will partner with Redflag Software Technologies to sell the Opera browser. "Redflag plans to integrate Opera's browser software into its applications for PDAs (personal digital assistants) and set-top boxes. The deal with Redflag marks Opera's first arrangement with an Asian reseller."
Business
Linux Heavyweight Comes to Pacific Northwest National Lab (Genomeweb)
Genomeweb looks at a new supercomputer project that HP is building for Pacific Northwest National Lab (PNNL). "It may not be much more than a pipsqueak right now, but the computer system now being set up at the Department of Energy's Pacific Northwest National Laboratory is expected to grow into the world heavyweight of Linux supermachines."
IBM zips up Linux deal (News.com)
IBM will be supplying Linux servers to zipper manufacturer YKK America. "YKK America will use an iSeries server, a special-purpose machine typically sold in conjunction with software, to run a Web site where customers can place and check orders and monitor inventory. The company will use IBM's Linux-only iSeries product, the lower-end i820 that can accommodate one to four processors and can run as many as 15 instances of Linux simultaneously."
Biotech group opts for Linux (smh.com.au)
Smh.com.au covers an agreement between IBM and Medica Holdings LTD. "Biotech company Medica Holdings Ltd today said it had formed an agreement with IBM that will allow its subsidiary Cytopia to speed up discovery of drug candidates to treat immune disease and cancer. Medica said the Melbourne-based Cytopia would deploy IBM's latest generation Linux supercomputing technology, allowing it to increase 100 fold its speed and selectivity in screening drug candidates."
Opera signs with RedFlag in China embedded Linux deal (Register)
China's RedFlag Software will offer embedded versions of the Opera browser, according to this report in the Register. "The deal is Opera's first big one for the Asian embedded market, as until recently Opera didn't include support for non-Roman alphabets, and as embedded is a new area for RedFlag (historically it has dominated the Chinese desktop market), it's potentially a major coup for the Norwegian company."
Linux goes to Hollywood (IT-Director)
IT-Director reports on the use of Linux for rendering movie animation. "The cost of producing high quality animation is rising, primarily due to its high labour cost - a fact that is compounded by the viewers increasing expectation of high quality animation. Disney's newest films use computer rendered images to retain the look of the company's original movies. All of this takes computing power and over the last few years Disney has relied on Linux clusters to deliver the necessary power."
Feeling the Heat in Redmond (TechWeb)
Network Computing looks at Total Cost of Ownership (TCO) issues, and why they are causing Microsoft customers to consider Linux. "For the most part, Microsoft customers have done little more than grumble about such treatment. That's because alternatives from the likes of Apple, IBM, Novell and Sun have their own major drawbacks, and switching from Microsoft is a costly undertaking in itself. But enter Linux and the exploding number of applications that run on the open-source OS, and the competitive landscape looks more inviting. Linux is no silver bullet; its biggest downside remains the dearth of experts to support it. As the platform has matured, however, it has gained enterprise credibility."
King Larry Proclaims the Land His (Wired)
Wired reports on recent comments made by Oracle's Larry Ellison. "'Why Oracle's future is so good is because of a concentration of spending on the few surviving suppliers: Microsoft, Oracle, SAP and IBM,' Larry Ellison told reporters on the sidelines of an Oracle conference here. 'It will be killing fields. We will grow and prosper. Customers will have fewer choices,' he said." The article also mentions that Oracle's software will run on Linux clusters.
Interviews
Who says the browser war is over? (News.com)
News.com interviews Opera Software CEO Jon von Tetzchner. "We wanted to make effective software, and speed was a part of that. Size was another. It means a lot more work for our programmers because we don't use ready-made tools or modules. We do it all by ourselves from scratch. That benefits both customers and ourselves; because we don't rely on other people's code, if there's a fault, we can fix it ourselves."
Caldera VP bullish on UnitedLinux (ZDNet)
ZDNet features an interview with Benoy Tamang, Caldera's VP of strategic development, on the topic of UnitedLinux. "At the same time, when it came to discussions and being on initiatives and boards for LSB or for Linux community vendors and Linux internationalization standards group, the same parties would be there at the same time. So inevitably the technical people started talking to each other, and just said, "Why are we duplicating all of these efforts and creating our own versions?" And therefore we found, for number three, a possible area where the Linux companies themselves didn't have to duplicate the basic elements."
CEO: Corel's on the comeback (ZDNet)
ZDNet features an interview with Corel president Derek Burney.
"ZDNet: Since you've abandoned Corel Linux for the desktop--and in light of Mac OS X, which has a Unix core--what is Corel's current vision for Linux?"
"Burney: We created a desktop version of Linux because we thought that Linux was very powerful but difficult to use. The product was a technological success, but the market wasn't interested at that time, so we stopped developing the operating system. But we do offer applications for Linux. Nowadays Linux is an operating system just like Mac or Windows, so if there is a business case to justify creating an application, then we'll do it."
Red Hat: Open source is our focus (ZDNet)
ZDNet interviews Red Hat CEO Matthew Szulik on UnitedLinux. "But my perspective on this whole UnitedLinux activity is that it takes an awful lot of capital to build a successful global franchise to support ISVs like Oracle and Veritas and TIBCO and the main enterprise ISVs. Certainly the Dell, the Compaq and HP announcement that we just made yesterday--it requires an awful lot of time and attention and capital. And so therefore it's hard for me to see how these four Linux vendors--the hybrid approach that they seem to be consolidating into--is going to be able to succeed with the demanding requirements of the customer and the support that's required to compete on a global basis."
It's time for ICANN to go (Salon)
Salon interviews EFF founder John Gilmore about ICANN, the Internet Corporation for Assigned Names and Numbers. "The strings that were pulled before and during the Clinton administration's "Green Paper" and "White Paper" process, that ultimately resulted in the creation of NewCo, also known as ICANN, were pulled by SAIC. SAIC is a very interesting for-profit company with a multibillion-dollar annual revenue, most of which comes from classified contracts with the U.S. military. What's even more interesting about SAIC is that there is no external control on it: It is "employee-owned," i.e., there are no outside stockholders. If you leave the company, you have to sell your shares in it. SAIC's board of directors reads like a who's who of the military-industrial complex (former secretaries of defense, spy-agency heads, etc.). When you read about the government wasting billions on "homeland security," guess who gets it. SAIC's home page features their new brochure on "SAIC -- Securing the Homeland."" (Thanks to Joern Nettingsmeier)
Resources
Embedded Linux Newsletter for June 27, 2002
The June 27, 2002 edition of the Linux Devices Embedded Linux Newsletter has been published. Topics include Red Hat's embedded Linux strategy, Sharp's new Zaurus PDA, KORGANIZER/EMBEDDED 1.0, GNU BAYONNE 1.0, the Mira smart display device, and more.
Setting Up an Old 386 on Your Home Network (Linux Journal)
Here's a Linux Journal article on how to turn an old 386 machine into a functioning Linux box. "New problem: when I told my wife that I had used MS software to get her system connected, she was not amused at all and demanded that I use open-source software only. It did not sway her when I explained that she was already running MS-DOS. Her reasoning was that MS-DOS was written before MS became the evil empire, so it was okay."
Reviews
Applications for the Sharp Zaurus (Linux Journal)
Linux Journal looks at fun things to do with a Sharp Zaurus PDA. "Pull up a Zaurus and make yourself comfortable. You just got your Zaurus and you are very proud of it. You tried every single application, then even typed some commands in the terminal, like uname -a, ping localhost and ifconfig to prove to yourself that it really is a GNU/Linux machine in the palm of your hand. You even know where most of the keys are but still may be looking for the pipe (hint: read more.sbc.co.jp/slj/doc/pdf/SL5000KeyAssign.pdf to find out that bar = Shift-Space)."
Why KDE applications have a bright desktop future (LinuxWorld)
Nicholas Petreley reviews KDE on LinuxWorld. "Put simply, the KDE class libraries and examples are a brilliant testimony to reusable objects done right. Features such as the sophisticated file dialog and toolbar functions are obviously a part of the standard KDE class library, which is why most KDE applications now include them. If you upgrade the file dialog, all applications that use it get upgraded automatically."
Sun and the new Office space (Arnnet)
Con Zymaris discusses OpenOffice in this Arnnet opinion column. "If your client has a mixed environment of Windows, Sun or Linux workstations, OpenOffice is perhaps your best choice. Finally, as a recent Gartner report suggests, many of the firms adopting OpenOffice are best served if they analyse which of their staff have a strong business case for the continued use of Microsoft Office (perhaps 20 per cent of them) with the remainder getting OpenOffice. As the documents and templates can generally be interchanged between these staff groups and the application operation is uncannily similar in most respects, this strategy makes sense."
Linux standard gets the go-ahead (ZDNet)
ZDNet examines the launch of the Linux Standards Base certification program. "The certification program is aimed at developers, software vendors and Linux distributions alike, and is designed to allow customers to easily identify software that has gone through the standardization process."
XML in Mozilla 1.0 (WebReference)
WebReference reviews the XML processing capabilities of Mozilla 1.0. "Mozilla offers a rich XML processing environment, where handling XML as a document format and exposing XML documents through DOM access functions is only the beginning."
Analysts examine UnitedLinux strategy (ZDNet)
ZDNet has published reviews by two industry pundits on the UnitedLinux strategy.
theKompany's version of COBOL looks promising (NewsForge)
NewsForge reviews KOBOL, a commercial COBOL compiler that is being offered by TheKompany. "Speaking of classical batch, batch processing is about all you can do with KOBOL. Because other than displaying messages at the console, there isn't much interactivity available. At least not yet. But murmurings on the KOBOL mailing list indicate there may be a GUI in KOBOL's future." Thanks to Joe Klemmer.
Miscellaneous
$200k prize offered for getting Linux to run on Xbox (Register)
The Register reports that an anonymous donor has offered a cash prize for getting Linux to run on Microsoft's Xbox, legally, by the end of this year. "Is this for real? According to Michael Steil of the Project, the identity of the donor "is known to the project leaders and well-respected," so there seems at least a possibility that the money exists and will be paid up. And finding "a simple and completely legal way to run Linux on the Microsoft Xbox" before 1st January 2003 could be a tall order."
Want $200,000? Tweak Linux for Xbox (ZDNet)
ZDNet takes a look at the Xbox Linux project. "A software development project aimed at getting the Linux operating system to run on Xbox received a boost on Monday, when an unnamed donor agreed to pay successful contributors a total of $200,000."
Report: Brace for new wave of attacks (ZDNet)
ZDNet looks at the Apache worm and other network attacks. "The situation is made worse by a worm discovered over the weekend that makes use of the Apache flaw, a vulnerability in the mechanism for handling "Chunked Encoding". The worm is thought to be capable of spreading only to Web servers running the FreeBSD operating system--an open-source variant of Unix--and which have not had a patch applied for the recent flaw. Although few people have reported the worm, it is thought to be infecting vulnerable Web servers worldwide."
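The "Chunked Encoding" the article refers to is the HTTP/1.1 transfer encoding in which a request body arrives as a series of chunks, each prefixed by its length in hexadecimal. A server must parse that length and bound it against its own buffers before it copies a single byte of chunk data. The following is an added example, written for this page and not code from Apache, the worm, or the ZDNet article, of a strict chunked-body decoder that refuses oversized, non-numeric, over-long or truncated chunk sizes. The per-chunk and total-body limits, the sample inputs and the function names are all assumptions made for the example.

```python
"""Strict HTTP/1.1 chunked-body decoder (added example, not Apache code)."""
import re

# Policy limits assumed for this example; a real server would make them configurable.
MAX_CHUNK_SIZE = 64 * 1024          # largest single chunk accepted
MAX_BODY_SIZE = 1024 * 1024         # largest decoded body buffered

# chunk-size is 1..8 hex digits (so it can never exceed 0xFFFFFFFF before the
# range check below), optionally followed by ";" chunk extensions, which are ignored.
_CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")


class ChunkError(ValueError):
    """Raised for any malformed or over-limit chunked body."""


def decode_chunked(data: bytes, max_chunk: int = MAX_CHUNK_SIZE,
                   max_body: int = MAX_BODY_SIZE) -> bytes:
    """Decode a complete chunked body, refusing anything that is not well-formed.

    Each chunk-size is parsed as unsigned hex with a digit-count limit and is
    checked against the per-chunk and total-body caps before any chunk-data is
    copied, so a hostile size is never used as a copy length.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("missing chunk-size line")
        m = _CHUNK_SIZE_LINE.match(data[pos:eol])
        if m is None:
            raise ChunkError("bad chunk-size line: %r" % data[pos:eol][:32])
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer header lines, then an empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkError("missing final CRLF after last-chunk")
                if eol == pos:
                    return bytes(out)
                pos = eol + 2
        if size > max_chunk:
            raise ChunkError("chunk of %d bytes exceeds per-chunk limit" % size)
        if len(out) + size > max_body:
            raise ChunkError("decoded body would exceed %d bytes" % max_body)
        if len(data) < pos + size + 2:
            raise ChunkError("truncated chunk-data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk-data not terminated by CRLF")
        out += data[pos:pos + size]
        pos += size + 2


def rejects(data: bytes, **limits) -> bool:
    """True if decode_chunked refuses the input (used to exercise the checks)."""
    try:
        decode_chunked(data, **limits)
    except ChunkError:
        return True
    return False


# Constructed sample inputs for this example.
GOOD = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\nTrailer: x\r\n\r\n"
OVERSIZED = b"FFFFFFFF\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"    # size far beyond any buffer
NEGATIVE = b"-1\r\n\r\n0\r\n\r\n"                             # not unsigned hex
TOO_MANY_DIGITS = b"100000000\r\n\r\n0\r\n\r\n"               # nine digits: 2**32
TRUNCATED = b"A\r\nhello\r\n"                                 # promises 10 bytes, sends 5

if __name__ == "__main__":
    print(decode_chunked(GOOD))
    for name, sample in [("oversized", OVERSIZED), ("negative", NEGATIVE),
                         ("too-many-digits", TOO_MANY_DIGITS), ("truncated", TRUNCATED)]:
        print(name, "rejected" if rejects(sample) else "ACCEPTED")
```

The order of the checks is the point: the size is validated against both limits, and the remaining input length, before it is ever used to index or copy, and the parse itself cannot produce a value outside the unsigned 32-bit range, so there is no path by which a crafted size reaches a copy routine.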
Apache worm barely squirms (News.com)
News.com reports that the Apache worm is not spreading or doing much damage. "However, there are indications that the flaw exploited by the worm appears in other platforms, which could mean the advent of more damaging worms."
How we could have prevented an Apache worm (ZDNet)
ZDNet gives a good history of the Apache worm. "On the one hand, ISS jumped the gun. It should have notified only Apache, then waited for its response before going public. But, on the other hand, ISS did a service by exposing a zero-day exploit--those that take advantage of vulnerabilities known only to malicious users, not the general public--and preventing a sneak attack."
IT Advances Research On Climate (TechWeb)
Information Week reports on the use of a cluster of Dell 2450 PowerEdge servers by researchers at Johns Hopkins University. "Researchers at Johns Hopkins University in Baltimore are breaking new ground with their study of the Atlantic Ocean's effect on the climate. The project began in earnest 18 months ago when the university chose to run its data collection and analysis on a cluster of Dell PowerEdge servers running Red Hat Linux 6.2."
Ballmer to China: 'Steal all the software you want, so long as it's ours' (Register)
The Register looks at Microsoft's $750 million investment in China. "Most interestingly, Ballmer claimed not to have extracted any promises from the Chinese government, according to Reuters. This of course means that MS is prepared to see its precious intellectual property defiled in every way imaginable just so it can get a toe-hold on the mainland."
Microsoft to pour $750 million into China (News.com)
News.com reports that Microsoft has pledged to donate $750 million to China over the next three years. "Ballmer told reporters that the deal with China covers a "wide variety of fronts: outsourcing, exports, local training, development--just to name a few." He said China had not made any specific pledges in return. "There's no real commitment that I would say is part of the agreement that we signed," Ballmer said during a news conference."
Life with Linux: What YOU think of the OS (ZDNet)
ZDNet looks at Linux from a Windows user's perspective, where virtual desktops are something new. "In his second "Life with Linux" column, Coursey raved about virtual desktops, a feature that lets you create multiple workspaces, each with its own set of programs and windows. "This may sound like switching between apps in Windows, but it isn't: Each desktop preserves its own arrangements of windows, so you don't have to do all that alt-tabbing, opening and closing of windows, or hunting around the task bar to find the apps you want," he wrote." We eagerly await their discovery of the X window system's remote display capabilities.
Page editor: Forrest Cook
Announcements
Resources
LPI-News for June, 2002
The June, 2002 edition of the LPI News is out with the latest news from the Linux Professional Institute.
The LSB rolls out everything with v1.2
The Linux Standards Base has reached version 1.2. "The Free Standards Group (FSG) board of directors approved the Linux Standard Base (LSB) workgroup's gLSB, archLSB-IA32, and archLSB-PPC32 written ABI specifications."
Free Software Distribution Project
Jon Allen has sent us an announcement for his new Free Software Distribution Project, which aims to distribute Linux and BSD software to the masses. Click below for more information.
Linux Gazette #80 available
The July, 2002 edition of the Linux Gazette is out with lots of Linux tips and tricks.
YAPC Movie Available (use Perl)
Use Perl mentions the release of a movie that was made at this year's YAPC. "Part Homer's Odyssey, part Homer Simpson, it documents a young Python programmer's attempt to get advice from twelve Perl gurus. The movie (in QuickTime, Windows Media, and RealMedia formats), script, cast, and more are all online."
Upcoming Events
Debconf 2 - July 5-7, 2002, Toronto, Ontario, Canada
The 2nd Annual Debian Conference begins on Friday, July 5, 2002 in Toronto, Ontario, Canada. Click below for more information.
PC Expo WrapUp (Linux Journal)
Linux Journal covers the PC Expo in New York. "Open source, although not hyped, was everywhere. A fax server by Morgan Hill, California-based Castelle, basically a black box that acted as a multiuser hub for outgoing and incoming messages, runs Linux. Although the screenshots in the company brochure portray a world full of Windows, Tux is running the show."
LinuxTag 2002 report (Mstation)
Frank Neumann summarizes his experience at LinuxTag 2002, with an emphasis on Linux audio developments.
Crystal Space Contest Reminder
Crystal Space will be holding a game contest with cash prizes; the deadline is August 1, 2002. Click below for more information.
Events: July 4 - August 29, 2002
Date | Event | Location
July 4 - 7, 2002 | UKUUG Linux Developers' Conference | University of Bristol, Bristol, UK
July 5 - 7, 2002 | Debconf 2 | York University, Toronto, Ontario
July 11 - 14, 2002 | Uniforum NZ 2002 | Auckland, New Zealand
July 18 - 20, 2002 | Boston GNOME Summit | Boston, Mass.
July 20, 2002 | Fourth Australian Open Source Symposium (AOSS4) | UNSW, Sydney, Australia
July 22 - 26, 2002 | O'Reilly Open Source Convention | Sheraton San Diego Hotel and Marina, San Diego, California
July 23, 2002 and August 27, 2002 | Seattle Ruby Brigade Meeting | Seattle, Washington
August 1 - 2, 2002 | 3rd annual Bioinformatics Open Source Conference (BOSC 2002) | Edmonton, Canada
August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada
August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA
August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA
August 12 - 15, 2002 | Linux World Conference & Expo | Moscone Center, San Francisco, California
Web sites
LinuxDailyNews launches
A new Linux news site, LinuxDailyNews, has announced its existence. It is a combined operation by the folks at Open For Business, DesktopLinux.com, LinuxDevices.com, Linux and Main, and KernelTrap.
KDEnews.UNIXcode.org Launched!
KDE.News has an announcement for a new KDE information and discussion hub known as KDEnews.
Version 1.0.1 of Loads of Linux Links
Barbara Irwin has sent us a notification for the next version of LoLL. Loads of Linux Links is a GPLed meta web site of searchable Linux links. Check it out for all of your documentation needs.
Linuxquestions.org reaches the 2 year mark
The linuxquestions.org site is celebrating its second birthday; it has had 108,544 posts and 13,452 members.
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted by section,
- Sorted by license.
Page editor: Forrest Cook
Letters to the editor
Security & Open/Closed Source
From: Casey Bralla <Vorlon@NerdWorld.org>
To: Letters@lwn.net
Subject: Security & Open/Closed Source
Date: Thu, 27 Jun 2002 17:55:35 -0400
I find it interesting that the same community which (rightly) lambasts
Microsoft for concealing security problems with their programs now cries
foul when somebody exposes an open source breach that hasn't been patched
yet.
Isn't that the main argument Microsoft makes about not wanting to
publicize security problems? (Granted, I think most of their arguments
are absurdly self-serving.)
How can we complain about Microsoft getting angry over disclosures of (as
yet unpatched) security problems, and then not hold Apache to the same
standard?
--
Casey Bralla
Chief Nerd in Residence
The NerdWorld Organisation
Vorlon@NerdWorld.org
Security vulnerabilities...
From: dps@io.stargate.co.uk, stargate.co.uk@io.stargate.co.uk
To: letters@lwn.net
Subject: Security vulnerabilities...
Date: Thu, 27 Jun 2002 16:38:59 +0100
If a security, or other, bug turns up in my software the bug reporting
procedure is simple: send an email to me. The email address is in the
README file if not elsewhere as well. Ideally send me a patch, a way to
reproduce, or at least some indication of the location of the bug. Hopefully
the fact I supply source makes the latter easier to do :-) Given a
non-stripped binary and core dump then typing bt in gdb would give me
quite a few clues a significant fraction of the time.
Given only stripped binaries then there is little I can tell M$ if Windows
crashes, as it does regularly for lots of people---newer versions are
better than older ones but both still crash on a regular basis, have
memory leaks, etc. Very few people report these because the circumstances
which trigger the bugs are obscure and it is "normal". M$ has done nothing
to fix them for ages. Some of these bugs are probably usable for security
exploits but nobody really has any clues until some black hat demonstrates
them (or a white hat discovers them and reports them to M$ and security
mailing lists).
I would expect contacting one of the primary developers, which is presumably
findable in a README file, would be an appropriate place to send a
security hole to so it can be closed. Finding a good vendor contact is
often a lot more difficult.
Matthew, you told a pork pie
From: Leon Brooks <leon@cyberknights.com.au>
To: matthew_newton@pcworld.com
Subject: Matthew, you told a pork pie
Date: Fri, 28 Jun 2002 10:52:22 +0800
Cc: letters@lwn.net
> since Corel abandoned its effort, no vendor has concentrated
> strictly on making Linux friendly enough for newbies
Mandrake and SuSE have for years both been heavily focused on making things
easier for newbies. I favour Mandrake, friends favour SuSE.
For an example of an isolated feature aimed in this direction, this Mandrake
8.2 box has a standard-looking menu layout, plus a couple of useful extras,
one labelled `What to do?' which has entries like `Use the Internet' leading
to the most common tools (mail, web, news, ICQ, IRC, AIM, etc).
This is but one feature of scores. HardDrake sorts out new hardware amazingly
well. In the case of a software modem with only proprietary drivers, it
referred me to a website that I could download the drivers from.
While Mandrake and SuSE are obviously putting a huge amount of effort into
making these things easier, and getting results (e.g. WalMart are ramping up
to ship PCs with Mandrake pre-installed, the French government has also
granted them a contract to supply, and never mind the newbie focus 'coz the
Linux audience apparently likes them as a server too), RedHat haven't been
idle, and nor have other teams like Debian. Have you tried Debian Jr - for
kids! - yet?
Another distribution which (sigh) needs mentioning is Lindows. Easy to use,
yes, but also running as root, and potentially with no password. Expect to
see cracks targeted at that vulnerable arrangement as Lindows gets market
share - if it does, they're not exactly bending over backwards to comply with
the GPL for the software which they have already fielded.
Finally, while Gentoo isn't so easy to install (and what newbie installs
their own OS anyway?), it certainly is easy to maintain and runs well on
older, less able hardware.
Returning to the main point, ease of use: it isn't everything, but in this
case you can have your cake and eat a certain amount of it too.
For example, if you equipped a new computer lab with dual servers and 20
Mandrake LTSP terminals all built from COTS hardware, you would have 20
easy-to-use and even MS-Office-compatible workstations with 17" screens,
accelerated 3D, sound and optical mice for around AUD$20,000+GST (USD$11,300,
GBP£7,400) including hubs/switches and cables. Power on, and in seconds
you're working. I have a baby network like this running in my shed as I type.
Ease of use goes beyond clicking on WIMP features. You can layer Mosix onto
this and have the equivalent of a 37GHz supercomputer at your disposal for no
extra cost beyond labour (install package, configure, start service). Updates
can even be completely automated by running one service. That's a lot easier
to do than drumming up the money to buy a supercomputer, and demonstrates
ease of use for the support people as well as the users.
You really should know what you're talking about _before_ you put finger to
keyboard for an article... and a public error requires public correction.
Cheers; Leon
PS if you're a SlackWare fan: you haven't been overlooked. SlackWare have
never claimed that their distro is easy to use. If this is a deliberate
policy, while it costs marketshare it does drive up the quality of
fana^H^H^H^Huser.
Page editor: Jonathan Corbet